BYOD Lawsuits Loom as Work Gets Personal

Will BYOD lead to a rash of lawsuits from employees who feel violated? Or maybe a headline-grabbing, class-action lawsuit? Your company better make sure it has an explicit terms-of-use BYOD agreement. Here are ways companies can protect themselves.

Like most tragic love stories, the "Bring Your Own Device" affair has come to an abrupt end, a bitter breakup looms, and lawyers are circling.

In the early days of BYOD, say, last year, employees- especially Millennials-fell madly in love with the idea of using their own iPhones, Android smartphones and newfangled tablets for work. They could finally ditch corporate-issued BlackBerrys. BYOD ushered in a new era of consumer tech in the enterprise, one that promised employees and employers will live happily ever after.

Employees are questioning the intrusion of corporate eyes on their personal devices. Did IT turn their beloved smartphone into a spy that tracks their whereabouts? Employees are beginning to sense companies taking advantage of BYOD by intruding on personal time to get free work time.

Now they're thinking about suing.

"I anticipate a bunch of little [lawsuits], then something big will happen that'll be a class action and become headline news," says CEO John Marshall at AirWatch, an enterprise mobile device management (MDM) vendor with 6,500 customers, including Lowe's, United Airlines and Best Buy.

It has already started. A lawsuit currently winding its way in a federal court in Chicago claims that the city owes some 200 police officers millions of dollars in overtime back pay because officers were pressured into answering work-related calls and emails over department-issued BlackBerrys during off-hours.

While this particular case doesn't involve BYOD, there's no question BYOD blurs the line even more between work life and personal life.

If a CIO has hourly employees with BYOD smartphones, she might want to leverage MDM to control email delivery to those devices. That is, an employer can set a business rule that won't allow delivery of corporate email to a subset of users during off-hours. Or a CIO can address this issue in the BYOD terms-of-use agreement.

While not dispensing legal advice, Marshall offers up another legal nightmare scenario: Lacking MDM tools to block out what can and cannot be seen on a BYOD smartphone, a help desk technician notices that an employee's device has a lot of personal apps about a health problem-and mentions his concern to the employee in the cafeteria.

"The employee can say, 'How in the world did you know that?'" Marshall says. "All of a sudden, something that's very benign and innocuous turns into something that's blown out of proportion."

Again, a comprehensive BYOD terms-of-use agreement, along with transparency about the capabilities and limitations of the technology, will help ward off such scenarios. The IT staff also needs to be educated about their role in a BYOD environment, says Marshall.

However, this doesn't mean problems won't crop up.

Part of the problem is that BYOD often puts business unit managers who aren't well-versed in technical user agreements in a leadership position with mobile apps. They're likely to give the green-light to rogue mobile apps that violate such agreements.

For instance, employees are chiefly concerned about privacy and especially location-based services with BYOD, and so many user agreements stipulate that apps will not collect location-based information. But then someone wants to be helpful and builds a map app for the corporate campus that allows employees to schedule conference rooms and find safety information, such as where to go if there's a tornado.

"Maybe there's also a button on there that says where you are in the campus," Marshall says. "All of a sudden people wake up and realize that every single device using that app is collecting location-based information-that's an issue."

Sound far-fetched? "These are really plausible scenarios," Marshall adds. "There's so much copy and paste and reuse of all these components that these things can happen very innocently."

AirWatch CEO John Marshall

Then there's the dreaded remote wipe, which can land a company in some legal hot water.

Just last year, CIOs said they felt comfortable with BYOD because they held security's holy grail: remote wipe, a scorched-earth capability for wiping all data on a mobile device. (For more on this, check out BYOD Troubleshoot: Security and Cost Savings.)

But employees weren't happy with the idea that the company can wipe personal data on their personal device. Some employees refused to participate in the BYOD program for this reason. Others waited days or weeks before reporting a lost or stolen device so that IT wouldn't wipe it. In late 2010, NPR told the story of a woman's BYOD iPhone mistakenly wiped by her employer, resulting in lost contacts and photos.

MDM software advanced quickly and seemed to come up with a fix. Now companies can wipe only corporate apps from a BYOD smartphone or tablet, leaving personal apps untouched. In fact, AirWatch won't even allow a full device wipe anymore for legal reasons.

While this helps tremendously, it doesn't completely solve the problem.

Let's say a company buys the popular productivity app, Evernote, for employees to put on their BYOD smartphones. Since the company paid for the app, the company can remove it at any time. The note-taking app collects company data but also might store personal data, too. An employee can use Evernote to create a shopping list, recipes, vacation plans, or perhaps something more critical to their job.

Guess what happens to this personal data when the employee leaves the company? The app, along with all the data, is wiped from the device and account. If the BYOD terms-of-use agreement regarding Evernote wasn't spelled out clearly, who is liable for the lost data?

The bloom is off the BYOD rose, and so companies had better add protections against employee lawsuits in the BYOD terms-of-use agreement and leverage MDM to ensure the agreement is followed.

Truth is, employees tend to get a bit emotional when their privacy is being violated or their location is being tracked via a mobile device that they personally own. They don't like their personal data to be wiped, either. When these things happen, companies can expect the wrath of a scorned employee.